CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow
The CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow lets users sign on, create a new account, or recover an account.
Purpose
The CIAM-Passwordless-Protect-Registration-Authentication-Account-Recovery-Main Flow is the initial flow in the PingOne for Customers Passwordless solution. It enables existing users to sign on using a password, uses the CIAM-Passwordless-Protect-Account-Registration-Subflow flow to let new users register, uses the CIAM-Passwordless-Protect-Account-Recovery-Subflow flow to let existing users recover their account, and uses the CIAM-Passwordless-Protect-Device-Authentication-Subflow flow to let existing users sign on using a known device.
Structure
This flow is divided into sections using teleport nodes:
- Flow Configuration
-
Uses multiple function nodes to save the variable and parameter values so that the correct values are available in the flow and in subflows. The flow then progresses to the Check for Session section.
- Check for Session
-
Uses a PingOne node to determine whether the user has an existing session.
If the user has an existing session, a hidden HTML node initiates the sk-risk component, then the flow progresses to the PingOne Protect threat detection analysis section. When this section completes, the flow progresses to the Return Success section.
If the user does not have an existing session, the flow checks for any existing session tokens and uses a PingOne node to delete the prior session before the flow progresses to the Offer Passwordless Sign On Page section.
- Check if user is active
-
Uses a PingOne node to retrieve user information, then uses a series of comparison nodes to verify that the user is enabled, that the user can authenticate, and that the user’s account status is active. If the user information cannot be found or if a condition is not met, an error message is displayed. If the conditions are all met, the flow returns to the previous section.
- Offer Passwordless Sign On Page
-
Uses a compare node to check if passwordless is required. If passwordless is not required, an HTML page is displayed with options to sign on using a password, recover from a forgotten password, or register a new account.
-
The sign-on option uses a PingOne to find the user, then progresses to the PingOne Protect threat detection analysis section. When that section completes, a function node checks whether the user is enabled, then the progresses to the Password Authentication section.
-
The forgot password option progresses to the Call Account Recovery Sub-Flow section.
-
The register option progresses to the Call Account Registration Sub-Flow section.
-
If passwordless is required, the flow progresses to the Require Passwordless Sign On Page section.
- Require Passwordless Sign On Page
-
Presents the user with an HTML page with options to sign on, recover the account, or register a new account.
The sign-on option progresses to the Check if user is active section, then progresses to the Call Device Authentication Sub-Flow section. The forgot password option progresses to the Call Account Recovery Sub-Flow section. The register option progresses to the Call Account Registration Sub-Flow section.
- Call Account Recovery Sub-Flow
-
Invokes the CIAM-Passwordless-Protect-Account-Recovery-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
- Call Account Registration Sub-Flow
-
Invokes the CIAM-Passwordless-Protect-Account-Registration-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Return Success section depending on the subflow result.
- Call Device Authentication Sub-Flow
-
Invokes the CIAM-Passwordless-Protect-Device-Authentication-Subflow flow, then progresses to either the Offer Passwordless Sign On Page section or the Call Check Agreement Sub-Flow section depending on the subflow result.
- Password Authentication
-
Uses two PingOne nodes to look up the user and validate the provided password. If the password is correct and current, the flow progresses to the Return Success section. If the password is correct but must be changed or is expired, the flow progresses to the Call Change Password Sub-Flow section.
- Call Change Password Sub-Flow
-
Invokes the CIAM-Passwordless-Protect-Change-Password-Subflow flow, then displays a success message and progresses to the Return Success section if the subflow completes successfully.
- Call Check Agreement Sub-Flow
-
Invokes the CIAM-Passwordless-Protect-Agreement(ToS)-Subflow flow, then checks if verification is required. If so, the flow progresses to the Call Verify Email Sub-Flow section. If not, the flow progresses to the Handle Remember Me if Applicable section.
- Call Verify Email Sub-Flow
-
Uses a PingOne node to send a verification code to the user’s email, then invokes the CIAM-Passwordless-Protect-Verify-Email-Subflow flow. When the subflow completes the flow progresses to the Handle Remember Me if Applicable section.
- Handle Remember Me if Applicable
-
Adds Remember Me as an authentication method if it is enabled, then progresses to the Return Success section.
- PingOne Protect threat detection analysis
-
Uses a PingOne node to look up the user, then invokes the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow.
If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow completes successfully, the PingOne Protect values are saved as variables. A function node then checks whether the device is known, and if not a PingOne node sends an email notification to the user.
A function node then examines the risk score.
-
If the risk score is low, the flow returns to the previous section.
-
If the risk score is medium, a PingOne node retrieves the user’s MFA devices and a function node checks whether the user has zero MFA devices. If the user has zero MFA devices, a PingOne node adds the user’s email as an MFA device and an HTML page prompts the user to enter the OTP sent to that email. Additional PingOne nodes then activate the MFA device and send an email confirming the device creation. The flow then returns to the previous section.
-
If the risk score is high, the flow progresses to the Return Error section.
If the CIAM-Passwordless-Protect-Threat-Detection-Subflow subflow does not complete successfully, any available PingOne Protect values are saved as variables. PingOne nodes send an email notification to the user informing them that their account is disabled and update the user’s status. The flow then progresses to the Return Error section.
- Return Success
-
Checks to see if a session should be created. If so, it creates a session with a duration specified by a variable. If not, it creates a session with a duration of 1 minute. The flow then sends a success response, indicating that the flow completed successfully.
- Return Error
-
Displays an error screen and sends an error JSON response, indicating that the flow completed unsuccessfully.
Variables and parameters
This flow uses the following variable or parameter values.
Variable name | Parameter name | Description |
---|---|---|
|
|
Indicates whether authentication through Apple is enabled in your environment. |
|
|
Indicates whether authentication through Facebook is enabled in your environment. |
|
|
Indicates whether authentication through Google is enabled in your environment. |
|
|
Indicates whether passwordless authentication is required for sign-on. |
|
|
Indicates whether magic link is enabled in your environment. |
|
None |
The maximum time a user can spend in the flow before it times out. |
|
None |
The HTML style to use for your company logo. This value is only used when the flow is launched with a redirect. |
|
None |
The URL for your company logo. This value is only used when the flow is launched with a redirect. |
|
None |
Displays the name of your company. This value is only used when the flow is launched with a redirect. |
|
|
A boolean that controls whether account recovery is enabled in your environment. |
|
|
A boolean indicating whether one-time passcode using sms is enabled in your environment. |
|
|
A boolean indicating whether one-time passcode using email is enabled in your environment. |
|
|
A boolean indicating whether FIDO passkey is enabled in your environment. |
|
|
A boolean indicating whether agreement is enabled in your environment. |